MELTDOWN-SPECTRE: THE MESS CONTINUES

The fallout from the Meltdown and Spectre CPU bugs rolls on. There’s a lot of reading on this topic, but here are some of the bullets you need to know:

  • According to one experienced tester, the Meltdown patches “introduce the largest kernel performance regressions I’ve ever seen.”
  • The early patches might be causing more harm than good … and it’s not just the performance hit. As noted by Security Week, “Both microcode and software updates designed to address the Spectre and Meltdown vulnerabilities have turned out to be buggy, often making systems unbootable or causing them to reboot more frequently.” Major software vendors including Microsoft stopped the patches due to instability.
  • The flaws can be exploited from JavaScript running in a Web browser … and proof-of-concepts are already floating around in the wild, according to ZDNet.
  • Intel is coming out with a new set of patches that supposedly avoid the reboots and other problems noted earlier. But considering Intel’s history of attempting to spin its way out of this PR mess and releasing half-baked fixes, I would take the news with a grain of salt.
  • Long-term, the entire world has a big security problem on its hand that won’t be fixed until silicon platforms are rearchitected AND older systems are patched or replaced. This could take years.

If you’re trying to play catch-up with these flaws, the best place to start is this page created by security researchers, which includes links to advisories and patches put out by major vendors.
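Before chasing vendor advisories, it helps to know what a given Linux host already reports about itself. The script below is an added example, not something from the newsletter or the researchers’ page: it reads the per-flaw status files that Linux kernels from 4.15 on expose under /sys/devices/system/cpu/vulnerabilities/ and classifies each as mitigated, vulnerable, not affected, or unknown (the last also covers kernels too old to have the files at all). The sample file contents embedded in it are constructed for illustration.

```python
"""Report Meltdown/Spectre mitigation status as seen by the Linux kernel.

Added example (not from the original newsletter). Assumes a kernel that
populates /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15 and later).
The SAMPLE_* dictionaries are constructed stand-ins for real file contents.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed samples of what the three files might contain.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable\n",
}


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse category.

    The kernel prefixes every line with one of 'Not affected', 'Mitigation:'
    or 'Vulnerable' (possibly followed by detail), so a prefix test suffices.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty or unrecognised text, e.g. file missing


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read the status files; a missing file yields '' (-> 'unknown')."""
    statuses = {}
    for flaw in FLAWS:
        try:
            statuses[flaw] = (directory / flaw).read_text()
        except OSError:
            statuses[flaw] = ""
    return statuses


def summarize(statuses: dict) -> dict:
    """Flaw name -> category, for every flaw present in the input."""
    return {flaw: classify(text) for flaw, text in statuses.items()}


def needs_attention(statuses: dict) -> list:
    """Flaws that are either reported vulnerable or could not be assessed."""
    return sorted(
        flaw for flaw, cat in summarize(statuses).items()
        if cat in ("vulnerable", "unknown")
    )


if __name__ == "__main__":
    live = read_sysfs()
    for flaw, cat in summarize(live).items():
        print(f"{flaw:11s} {cat:13s} {live[flaw].strip()}")
    todo = needs_attention(live)
    print("needs attention:", ", ".join(todo) if todo else "none")
```

Note that "mitigated" only means the kernel believes a software or microcode mitigation is active; it says nothing about whether the mitigation is the buggy early one or the later revision, so the output is a starting point for patch tracking, not a sign-off.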

A look at the future of Augmented Reality from #ARinAction

PPR visited the #ARinAction Industry Summit, which took place at the MIT Media Lab on January 16-17. This is a great event to not only see the future of AR, but also to learn how augmented reality is being applied in industry today. Here are some highlights:

  • Near-instant 3D model creation of interior spaces just a few years away? “In the next year or two there will be devices that can capture a 3D model of a room in a few seconds,” said Mark Billinghurst, Professor of Human Computer Interaction at the University of South Australia. If he’s right, and the models are accurate, this greatly reduces the requirements for 3D model creation in closed spaces, which could be a boon for AR as well as industrial IoT applications that require spatial data.

  • PTC’s Mike Campbell trotted out some industrial AR demos which were slick … yet didn’t look that convincing. For instance, one showed Ford engineers or designers wearing Hololens headsets and looking at data layered on top of a model sports car. It was neat, but it didn’t seem like the value delivered from this experience was superior to screen-based or paper alternatives.

  • PTC wasn’t the only one showing off unconvincing AR demos. One of the academic presenters had an AR tool for demonstrating math and physics concepts to students, which looked cool, yet also seemed complicated and costly. There are not many school systems that could realistically invest in hardware, training, and content to make this work for their students.

  • On the other hand, the DHL augmented reality system demonstrated by PTC seemed to be an effective solution for a real industrial use case. It is used to find and track items in a large logistics operation, and seems more promising, as it’s hands free and speeds the completion of specific tasks. This is similar to the Google Glass system used by AGCO to track completion of manufacturing tasks, and may even be competitive with other IoT logistics systems entering the market, such as ProGlove.

  • Speaking of Google Glass, it was barely mentioned at ARinAction. This surprised me … isn’t Google trying to reposition Glass for industrial use? But then Steven Feiner of Columbia University shared a piece of information that might explain why Glass was MIA from the conference: Google Glass is not really augmented reality: “Google Glass isn’t a true AR display,” Feiner said. “It can’t handle overlays, for one … Doesn’t have stereoscopic view, either.”

  • Innovations from the military are making their way into industrial and consumer devices. John Fan, the CEO of military supplier Kopin, presented an example – the heads-up displays used by F-35 pilots have led to technologies that can be used in AR-equipped firefighting helmets from Scott Sight. There was also a prototype cycling AR display, the Solos glasses (see inset photo), built on Kopin components. Fan shared a relevant observation about helmet-based AR: “Basic premise: humans don’t want to wear things on their heads,” he said, explaining that the technology has to deliver real value to get them to wear headsets … and keep them on. This is true for military and public safety uses in which lives are at stake, but perhaps less so for other applications.

  • “Interim devices” are the trend in augmented reality for the next 10 years, according to futurist and author Charlie Fink. “For AR to realize its potential, it needs to know you, and where you are, and it has to have access to data,” Fink said. “We’re not there yet.” He stated that a lack of infrastructure and key breakthroughs are holding back AR.

  • There is a lot of froth in the marketplace. Analyst Tim Merel, a former engineer, noted the arrival of ARKit and other AR tools from Facebook, Tencent, and others, which fuels interest in the field. Nevertheless, “there are even more VCs than there are startups,” he said. Merel noted that “mobile AR [is] still at the very early stages” and that exits will be relatively small in the near term, as dominant companies have yet to emerge.

Endpoint: It was interesting to see some of the trends and examples in augmented reality, but at the same time there seems to be a lot of wishful thinking among some of the technologists, academics, and investors, not to mention a fair number of research projects or proof-of-concept applications that won’t go anywhere. Just because a technology is cutting edge and dramatic doesn’t mean it will be useful out in the field … or that humans will want to use it.

CES 2018 trends: AI, VR/AR, and a hint of 5G

The annual Consumer Electronics Show in Las Vegas isn’t just a gathering of gadget and toy manufacturers. CES 2018 had a lot of presentations, talks, and displays by vendors targeting industrial users. Here are some other CES trends worth noting:

AI assistants: Google dominated CES with announcements related to Home and other AI-powered assistants. While Google’s voice-controlled assistants don’t seem very relevant to industry, take the long view: Just as the Web and smartphones burrowed into industry after conquering the home, so will voice-controlled AI. Google, Amazon, and others are pouring billions into AI R&D, and the end result will be much more than ordering pizzas from your couch. Imagine voice-controlled devices, status updates, or diagnostics on the factory floor or out in the field — or synthetic voices that are indistinguishable from real humans. The physical form factor will surely be different, but it will be a game changer for many industrial users.

VR/AR: 3D graphics have already had an impact on certain areas of industry (CAD and some emerging uses of Google Glass spring to mind), but I am skeptical that the latest generation of VR headsets and haptics technology will make much headway into industry. I’ve been around long enough to see misguided 3D hype lead corporate customers down the wrong path (anyone remember Second Life?) and I suspect the latest crop of VR technologies will remain more of a consumer phenomenon. Industrial operators aren’t going to put on a full-immersion VR headset, although there may be some applications for remote operation, evaluation, and training (as healthcare startup SimForHealth demonstrated at CES). AR looks more interesting, and Glass shows that there are some niche applications that can help companies save money and time.

Smart cities: There were reportedly more “smart city” vendors than companies selling gaming products or drones. The displays around smart cities had lots of eye candy when it came to autonomous vehicles and IoT-enabled homes, but a less-visible technology was the recently approved 5G standard. Qualcomm, Samsung, Ericsson, and other companies were hyping the heck out of 5G, but on the show floor there wasn’t much hardware to show in the smart city pavilion or elsewhere. That will likely change next year, as vendors bring their 5G-capable devices to the show, not only for the consumer market but also for industrial uses.

Joe Weiss on industrial security standards: “This is about facilities being destroyed and people being killed”

PPR interviewed Joe Weiss, managing partner of Applied Control Solutions and the author of Protecting Industrial Control Systems from Electronic Threats, on a new initiative by the ISA99 committee of the International Society of Automation to create security standards for industrial sensors, actuators, and drives. In the ISA-95 reference architecture, these devices and their controllers correspond to level 0 and level 1. The interview has been edited for clarity.

PPR: What’s the implication of billions of IoT devices coming online in industrial settings?

Weiss: I have some problems with the estimates. They’re mixing Fitbits and refrigerators with industrial process sensors and controllers. A process sensor in a power plant or a pipeline is very different than a home sensor. The vast majority of new sensors are not for industrial applications, and that’s getting lost.

There’s certainly a big number, but it’s not the billions that many IoT think tanks keep mentioning.

PPR: Is Mirai a sign of what’s to come in the future, or do you think that companies and governments have a good handle on IoT security?

Weiss: They don’t. ISA99 is starting a new working group on what’s called Level 0-Level 1, because none of our major industrial vendors makes secure, authenticated process sensors, actuators, or drives.

PPR: But the standards are in place, aren’t they?

Weiss: No! That’s exactly why we’re starting the ISA99 Working Group. What’s happened is very simple: IT has led cyber security. So cyber security has been all about the networks, as that’s what IT knows. The process sensors, actuators, and drives are engineering systems. Consequently, they have not been given security consideration.

We’re talking pipelines, power plants including nuclear, trains, manufacturing, water systems, and buildings. Security hasn’t reached what you measure and what you control. In other words, the things that actually cause control to happen, such as a motor or a valve or a damper, don’t yet have security or authentication.

PPR: When you hear vendors talking about their security, actually what they’re talking about is IT security, then.

Weiss: What they’re talking about is the network. And the things you keep hearing about are IT/OT convergence. But that doesn’t include the sensors, actuators, or the drives (Level 0,1). Yet, it’s the level 0,1 devices that are most critical for safety.

PPR: Why has it taken so long for ISA or other organizations to turn to the specific problems you’re talking about?

Weiss: Because Level 0,1 is engineering not networking. And the engineering/IT divergence goes back to 9/11 as I mentioned in my December 11th blog on a brief history of ICS cyber security.

The turning point was 9/11, because before 9/11, the organization that owned these systems also “owned” cyber security of those systems. However, on 9/12, the day after 9/11, cyber security became national security and cyber security moved to IT. As IT generally does not understand ICS, we’ve been suffering with their view of cyber security since.

My analogy of, ‘if you’re a doctor and you can’t trust your temperature or your blood pressure readings, how can you make a diagnosis?’ describes the culture problem that continues to exist. All of IT cybersecurity is about making the diagnosis. Almost nobody is asking whether we can even trust the sensors, which are at the heart of IoT. Yet IoT is all about more sensors using high-powered data analytics. If you can’t trust your sensors, what does that mean about IoT?

PPR: Who will be participating in the Level 0-Level 1 initiative?

Weiss: As of this morning’s (December 14th) call, we had vendors, end-users, consultants, and even a government representative – from Germany. But basically Level 0,1 devices are not in the “sweet spot” for most cybersecurity firms. What cyber security organizations have done up till now is assume that whatever the sensors are telling you must be correct. And what the cyber security organizations have done is spend their efforts on the networks.

PPR: Could you name some of the vendors that are participating?

Weiss: Today was the initial call and we had representatives from Siemens, Schneider, Honeywell, GE, and Cisco participating. I would hope all of the ICS vendors and cyber security practitioners will eventually participate as the lack of Level 0,1 security is a risk issue for everyone in this space.

And let me give you a scary story. I gave a presentation at this year’s DEFCON conference on the lack of level 0,1 security. On October 24th, as I was getting ready to give the state of the state presentation at the Security Week ICS Cyber Security Conference, I happened to look at my LinkedIn account. I had a ‘like’ from that DEFCON presentation and it turned out to be from a senior engineer in Iran – they know! Think about that, as today FireEye identified a safety system being hacked in Saudi Arabia and I think it is a safe assumption to say it was from Iran.

The lack of Level 0,1 security hits at the heart of IIoT. It also hits at the heart of the industrial cloud because every cloud vendor assumes that all sensor input is secure and authenticated.

PPR: So let’s assume that ISA 99 kickoff meeting goes well, and there’s an initiative to establish standards for these different types of things.

Weiss: The first task is to review the existing standards and identify gaps with respect to Level 0,1 devices. Additionally, Level 0,1 device issues are not just cyber security but also affect process safety. Level 0,1 devices are what the network cyber security doesn’t adequately address. Yet, this is where facility and personal safety are at risk.

PPR: Now as you know an initiative like this is going to take many years to actually start getting somewhere.

Weiss: You’ve got to start somewhere. I had identified the Level 0,1 issue as far back as 2000 when I helped start the cyber security program for the electric utilities. And it’s kind of a damning statement to say it’s now almost 2018 and we haven’t even started.

The lack of Level 0,1 cyber security is a major risk which has nothing to do with somebody stealing data. This is about facilities being destroyed and people being killed. So I would expect the vendors are going to be actively involved because they are at risk too. I believe they want to know what’s the right thing to do. This is not a me vs. them situation. This is, ‘whoops, we forgot something.’

PPR: In the meantime, what does a manager of a power plant or a factory do?

Weiss: We’ve got to educate people to even look under the rock. What they do now is pick up their feet and step over the rock. This means understanding the unique issues with ICS cyber security starting at Level 0,1. We also need technologies to monitor Level 0,1 devices BEFORE they become Ethernet packets. So far, there is at least one company working in this area.

What they assumed was it’s the Internet that’s the problem. The Internet is a problem with the network. Therefore, that’s where people went.

PPR: Many industries consider themselves to be vertically oriented.

Weiss: No. The same Rockwell programmable logic controllers used in power plants are also used in water, oil, gas, chemicals, manufacturing, railroads, amusement parks, breweries, ships, and buses. Consequently, the approach ISA 99 took is to develop cyber security standards and recommended practices that would be applicable for pipelines, etc. There is no difference! Hence the concern with the revelation today about the cyber attack on the Triconex PLC, because this device is used in many industries including nuclear plants, refineries, chemical plants, water systems, etc.

PPR: Is the Government going to have anyone there?

Weiss: My co-chair is from the Oak Ridge National Laboratory. Other than my co-chair, the only government representative on today’s call was from Germany.

Weiss writes about industrial security at the Unfettered Blog.
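Weiss’s point that Level 0,1 devices have “no security or authentication” is easier to picture with a concrete frame format. The Python below is an added example, not part of the interview and not an ISA99 work product: it shows the difference between a sensor that sends a bare reading and one that sends a reading bound to its identity and a monotonic counter under an HMAC with a pre-shared key, and it shows the controller side rejecting an altered frame, a replayed frame, and a frame from an unknown sensor. The key, sensor ID and readings are constructed for the demo. The caveat Weiss is really driving at still applies: a MAC proves the frame came unmodified from a device holding the key; it cannot prove the transducer behind that device is measuring the real process value.

```python
"""Authenticated sensor readings versus bare readings (added example).

Not from the interview or from ISA99. Assumes one pre-shared 32-byte key per
sensor provisioned out of band, and a per-sensor monotonic counter to reject
replays. Frame layout (big-endian): sensor_id:u16 | counter:u32 | reading:i32
followed by a 16-byte truncated HMAC-SHA256 tag.
"""
import hashlib
import hmac
import struct

BODY_FMT = ">HIi"           # sensor_id, counter, reading (e.g. centi-degrees)
BODY_LEN = struct.calcsize(BODY_FMT)   # 10 bytes
TAG_LEN = 16


class SensorEndpoint:
    """The Level 0 side: stamps each reading with identity, counter and tag."""

    def __init__(self, sensor_id: int, key: bytes):
        self.sensor_id = sensor_id
        self.key = key
        self.counter = 0

    def emit(self, reading: int) -> bytes:
        self.counter += 1
        body = struct.pack(BODY_FMT, self.sensor_id, self.counter, reading)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Verifier:
    """The Level 1 / historian side: accepts only fresh, untampered frames."""

    def __init__(self, keys: dict):
        self.keys = keys                 # sensor_id -> pre-shared key
        self.last_counter = {}           # sensor_id -> highest counter seen

    def accept(self, frame: bytes) -> tuple:
        if len(frame) != BODY_LEN + TAG_LEN:
            raise ValueError("bad length")
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        sensor_id, counter, reading = struct.unpack(BODY_FMT, body)
        key = self.keys.get(sensor_id)
        if key is None:
            raise ValueError("unknown sensor")
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            raise ValueError("bad tag")
        if counter <= self.last_counter.get(sensor_id, 0):
            raise ValueError("replay")
        self.last_counter[sensor_id] = counter
        return sensor_id, counter, reading


def _try(verifier: Verifier, frame: bytes):
    """Return the accepted tuple, or the rejection reason as a string."""
    try:
        return verifier.accept(frame)
    except ValueError as exc:
        return str(exc)


def run_demo() -> dict:
    """Walk through genuine, tampered, replayed and unknown-sensor frames."""
    key = bytes(range(32))                      # constructed demo key only
    sensor = SensorEndpoint(sensor_id=7, key=key)
    verifier = Verifier({7: key})               # sensor 8 deliberately absent

    genuine = sensor.emit(2150)                 # 21.50 degrees, counter 1
    # Same bytes with the reading field rewritten: the tag no longer matches.
    tampered = genuine[:6] + struct.pack(">i", 9999) + genuine[BODY_LEN:]
    stranger = SensorEndpoint(sensor_id=8, key=key).emit(100)

    return {
        "genuine": _try(verifier, genuine),     # accepted: (7, 1, 2150)
        "tampered": _try(verifier, tampered),   # 'bad tag'
        "replayed": _try(verifier, genuine),    # 'replay' (counter 1 again)
        "next": _try(verifier, sensor.emit(2151)),  # accepted: (7, 2, 2151)
        "unknown_sensor": _try(verifier, stranger),  # 'unknown sensor'
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:15s} -> {outcome}")
```

The bare-reading case the interview describes is simply `struct.pack(">i", reading)` with nothing else: a receiver has no way to tell a genuine frame from a forged or stale one, which is why monitoring “before they become Ethernet packets” comes up as a stopgap.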

Parsing Amazon’s FreeRTOS announcement: Interesting, “but kind of strange”

The December 4 edition of PPR talked about some of Amazon’s IoT and cloud announcements at the AWS re:Invent conference in Vegas. Amazon’s move to take over development of the FreeRTOS embedded operating system was a surprise to many. PPR reached out to Roy Murdock, Analyst, IoT & Embedded Technology at VDC Research, to get some context around Amazon’s FreeRTOS announcement. As Murdock notes, it’s not just the vendors for sensors and microcontrollers that will be impacted.

PPR: What’s Amazon’s big play here with FreeRTOS?

Roy Murdock: One of the reasons we saw this as a really interesting (but kind of strange) move is that the IoT & Embedded Operating System (OS) market is a mature market that’s in decline right now in terms of revenues.

One of the numbers that we cite in terms of more recent revenue figures is that from 2015 through 2020, we expect the compound annual growth rate on average for that market to be really only around 2 percent. It’s not a high-growth market, and it’s really not a market that a lot of companies are looking to get into right now.

In fact, a lot of acquisitions and mergers are happening or being talked about right now in the IoT & Embedded OS market. So there’s a lot of consolidation going on. It’s an uncertain time for the companies in that marketplace.

It’s interesting that Amazon has decided to get into this marketplace given the low growth expectations. But in terms of your original question, why would they be doing that: while revenue growth is pretty slow, is muted, is slowing down, expected to slow down, unit growth is actually growing very strongly.

So given IoT, given the ubiquity of sensors and MCUs and small chips and whatnot going into devices these days, which all require operating systems (usually an RTOS for a lot of these really small MCU/DSP-based systems) the unit growth is actually very strong.

We see in the future Amazon taking a lead in RTOS by unit shipments such as FreeRTOS which you know doesn’t generate much revenue for the company given that it’s free, but does capture a large share of the unit shipments, and taking those unit shipments and trying to get some of those devices onto AWS to generate services revenue.

So that’s what we think Amazon’s long-term play is. That’s what they’ve said their long term play is, it is really not too much of a secret. They’re providing a free onramp for a lot of those small devices to get hooked up and start generating data and generating services revenues through AWS.

PPR: One thing that was missing from the announcement page on the Amazon Web site is there weren’t any other vendors that were mentioned.

Murdock: They do have a few vendors in place, one off the top of my head would be NXP. So they do have a few hardware vendors in place that are set up to kind of support this announcement.

And one of my coworkers was joking. He is more on the hardware side, but he was joking, ‘Everybody is going to want to slap an AWS FreeRTOS sticker on their hardware in the days to come.’ Especially some of these guys like NXP who are making MCUs and some of the smaller-resource hardware.

PPR: The other part of this announcement concerns AWS Greengrass, which puts a local instance of AWS, so it doesn’t have to be connected to a public cloud. Is that what it’s all about?

Murdock: That’s exactly what it is. FreeRTOS would be running on an MCU, or Greengrass would be running on a gateway, a Linux-based system usually with 128 megabytes of memory or more. So, a pretty high-resource system, but it would be running a local instance of AWS IoT which is the data ingestion/data sync portion of AWS’ service.

So the idea there was mostly that there are a lot of companies that would want gateways running locally that might be in environments where they’d have spotty connectivity. So devices at the edge could sync up to Greengrass, which wouldn’t have to always be connected to AWS, the cloud portion of the IoT deployment.

So when the device communicates into Greengrass, it could store some of this data locally. And when that connection to AWS IoT in the cloud is available, then push that data to a cloud and sync things up.

And it could also run some edge compute locally instead of having to send everything to the cloud. You could run an algorithm to say ‘hey, this is the data I want to send up to the cloud.’ You can run edge analytics with Greengrass.

PPR: There’s a lot of vendors out there, and a lot of choice that these vendors have. Is the Amazon FreeRTOS announcement a real game changer, or vendors can already go to somebody else if they want to have this type of MCU/operating system/software stack behind it?

Murdock: I think it’s a real game changer for two different types of competitors, in that these two groups of competitors should be scared given this announcement.

Number one would be your traditional kind of MCU/RTOS vendors. In the past that would have been Micrium and Express Logic, vendors that ship hundreds of millions of RTOS systems into MCUs every year. Those guys have already been under attack by FreeRTOS for a long time. Of course, they had some protection in the types of systems they’re getting into that required safety certification or required some type of commercialization effort.

And then Micrium had actually gotten acquired by Silicon Labs last year. So they’re no longer really challenged by this announcement because they’re out of the game now, they’re under a hardware maker’s wing, so to speak. Express Logic is definitely feeling the heat right now, as are a few other smaller MCU vendors. That would be the first class of vendor that’s looking to be acquired or looking to really get out of that space, because Amazon is going to make it extremely hard for them to compete against (the already very-popular) FreeRTOS.

The second class of vendors that should feel the heat, and should kind of re-evaluate their OS strategy in light of this, would be Google and Microsoft. So the cloud competitors on the Amazon side. And obviously both of them have OS ecosystems. Microsoft has Windows, and has Windows 10 IoT Core, which is not exactly an MCU-class operating system ecosystem, but it is a kind of smaller-scale Windows. And Google has Android.

So they both have operating system ecosystems to play with. But neither of them has just the sheer reach in the MCU engineering space that Amazon now has with AWS FreeRTOS. So they should both be kind of concerned about how many devices Amazon is really going to be able to drive onto AWS through this acquisition.

PPR: What about other cloud vendors out there on the enterprise side? Off the top of my head I’m thinking IBM, Oracle, and there’s some other enterprise players. Do they have any kind of operating system partnership or assets that they could bring to the fray?

Murdock: Good question. Nothing that would call to mind the direct control that Microsoft and Google have over operating system ecosystems. So I would say that is kind of a secondary thought. I mean it is a good point. IBM, Oracle some of those other kind of enterprise cloud guys could have also benefited from an OS partnership like this one.

PPR: What does this mean for the actual companies that will be using these sensors and MCUs, the OT staff or the IT staff? Does it really make much of a difference to them, this type of announcement from Amazon?

Murdock: I think it will make the migration path a lot easier. Especially in the OT side who are just looking to get sensors hooked up to their machinery on the work floor or shop floor. I think it will create a much easier path to get the devices onto the cloud, and that obviously continues to be a huge friction point. Especially in safety-critical or time-sensitive networking environments.

So I think you’re going to see Amazon pouring a lot more investment into that path of getting those types of engineers, getting their sensitive data or running analytics into the cloud. Otherwise it wouldn’t make sense financially for them to do this acquisition.